Design of cryptographically secure AES like S-Box using second-order reversible cellular automata for wireless body area network applications Bhoopal Rao Gangadari ✉, Shaik Rafi Ahamed Department of Electronics and Electrical Engineering, Indian Institute of Technology Guwahati, Assam 781039, India ✉ E-mail: [email protected] Published in Healthcare Technology Letters; Received on 1st May 2016; Revised on 4th August 2016; Accepted on 15th August 2016

In biomedical, data security is the most expensive resource for wireless body area network applications. Cryptographic algorithms are used in order to protect the information against unauthorised access. Advanced encryption standard (AES) cryptographic algorithm plays a vital role in telemedicine applications. The authors propose a novel approach for design of substitution bytes (S-Box) using second-order reversible onedimensional cellular automata (RCA2) as a replacement to the classical look-up-table (LUT) based S-Box used in AES algorithm. The performance of proposed RCA2 based S-Box and conventional LUT based S-Box is evaluated in terms of security using the cryptographic properties such as the nonlinearity, correlation immunity bias, strict avalanche criteria and entropy. Moreover, it is also shown that RCA2 based S-Boxes are dynamic in nature, invertible and provide high level of security. Further, it is also found that the RCA2 based S-Box have comparatively better performance than that of conventional LUT based S-Box.

1. Introduction: Cryptography plays a vital role in secure data transmission for wireless body area network (WBAN) applications [1–3]. The cryptographic algorithms are generally based on secret key and public key systems [4]. However at present, a lot of emphasises was made on the secret key system which uses a symmetric key on both encryption as well as decryption. The data encryption standard (DES) algorithm was first published by Federal Information Processing Standards (FIPS) in 1999 [5]. However, it has been vulnerable to many attacks which results in less data security [6]. Moreover in 2001, FIPS selected Rijndael algorithm for advanced encryption standard (AES) as a replacement to DES [7]. The main criteria for choosing Rijndael was its symmetric key length, confusion and diffusion [8]. The AES algorithm has been standardised and adopted in latest IEEE Standard 802.15.6 for WBAN application due to its best performance and security [9]. The substitution bytes (S-Box) in AES algorithm plays an important role as it provides confusion in the cipher text [10, 11]. The basic function of S-Box is to transforms the 8 bits input data into 8 bits secret data using a precomputed look-up-table (LUT). Traditionally, the conventional S-Box architectures used in AES algorithm are based on LUT’s which demands large number of memory cells. Moreover, the conventional LUT based S-Boxes are also not secure enough against differential cryptographic attacks due to rigid architecture [12]. The works so far reported in the literature above mainly emphasised only on cryptanalysis of S-Box. On the other hand, there is a need to develop alternative architecture of S-Box, which is sufficiently secure against cryptanalysis, dynamic in nature with low hardware complexity which results in less power dissipation. The WBAN applications demand a ultra-low energy architecture for AES to increase the life time of battery. In this Letter, we proposed a flexible and dynamic S-Box architecture using RCA2 in order to overcome the limitations of the classical S-Box. We also analysed the level of security provided by classical LUT based S-Box and proposed RCA2 based S-Box of AES algorithm using cryptographic properties such as strict avalanche criterion, input/output entropy, nonlinearity, correlation immunity bias (CIB). This Letter is organised as follows. In Section 2 the concept of AES algorithm is revisited. The basic of cellular automata (CA) is discussed in Section 3. Formulation of RCA2 based S-Box is

Healthcare Technology Letters, 2016, Vol. 3, Iss. 3, pp. 177–183 doi: 10.1049/htl.2016.0033

discussed in Section 4. Furthermore, the performance of LUT based S-Box and RCA2 based S-Box is evaluated using cryptographic properties in terms of security in Section 5. Section 6 concludes the Letter. 2. Method: The AES is a symmetric block cipher algorithm with secret key. The length of the secret key recommended by the latest IEEE Standard 802.15.6 for WBAN application is 128 bits [9]. The AES algorithm consists of four transformations, namely, the S-Box, ShiftRows (SR), MixColumns (MC) and AddRoundKey (ARK) by which it generates cipher text over data in order to provide enough security [13]. The AES algorithm encryption and decryption process is shown in Fig. 1, the number of rounds of transformations (Nr ) is given by Nr =

SK + 6, 32

where SK = Key size

(1)

Using (1), the AES with 128 bits secret key algorithm results a total of ten rounds, out of which from 1 to Nr − 1 rounds have four transformations S-Boxes, SR, MC and ARK except the last Nr round have only three transformations S-Box, SR and ARK. The input bits are arranged in 4 × 4 matrix of bytes known as state array and each column as well as row are known as a word. 2.1. SubBytes: In S-Box transformation, each element (byte) of input data is substituted with another data (byte) using precomputed LUTs as shown in Table 1. These S-Boxes are computed by the multiplicative inverse of each element in the state using GF(28) with an irreducible polynomial P(x) = x8 + x4 + x3 + x + 1 and followed by an affine transformation. In order to transform 128-bit input data, a total of 16 ROM structures of S-Box are utilised which enormously increase the hardware complexity in the AES algorithm. The new developing cryptanalysis makes the ROM structure more prone to attacks [12]. However, in order to overcome the limitation, we proposed a RCA2 based S-Box which is cryptographically secure against cryptanalysis and also it is dynamic in nature. The LUT based S-Box in hexadecimal form is represented in Table 1. For example, if the input data is c6, then the substituted value of S-Box is determined from Table 1 by the intersection of c row and 6 column which results in b4.

177

& The Institution of Engineering and Technology 2016

key schedule in key expansion, the key can be divided into 11 groups of 4 byte words. The first 4 byte word is the initial 128-bit secret key and subsequent keys are generated in the key expansion using SubWord, Rotation Word (RotWord) and Rcon. Each ARK is four words output from the key expansion block denoted by ARK i = (w4i , w4i+1 , w4i+2 , w4i+3 ), where i = 0 to Nr. SubWord means nonlinear transformation of each byte of key using S-Box. The RotWord is a cyclic left shift of each byte in a word by one byte. Rcon is an array of constant words and the left most byte in a word is non-zero involved in direct XOR operation with the plain text and rest of the ten rounds use subsequent four words for the generation of ARKs. 3. Basics of CA: The basic CA structure is shown in Fig. 2, which consists of a groups of cells with a finite size of length from S0 to S7 which evolve using deterministic rule with each cell can store one of the two states 0 and 1. If the right most and left most (extreme) cells of this CA structure are considered to be adjacent to each other, then the CA is called as circular boundary CA. The one-dimensional (1D) circular boundary CA evolves with different neighbourhood configurations of elementary CA [14]. Each elementary CA consists of central cell i which is surrounded by neighbourhood cells of a defined radius r, therefore the total number of cells in elementary CA is given as ni = 2r + 1, including the central cell i. We considered r = 1, which results in the total number of possible different neighbourhood configurations of elementary CA L = 2ni t t with Si−1 , Sit , Si+1 cells. The next state Sit+1 of the cell i at time (t + 1) depends on the current state of central cell i and also neighbourhood i + 1, i − 1 cells, respectively, at time t with a deterministic rule of function fp. Mathematically, Sit+1 can be expressed as

Fig. 1 Sequential flow of AES encryption a Encryption b Decryption

2.2. ShiftRows: The transformation is used to create diffusion in cipher text by shifting of elements by one byte. The bytes in the first row remain unchanged whereas the second, third and fourth rows are shifted to the left by 1, 2, 3 bytes, respectively. 2.3. MixColumns: This transformation is used for attaining diffusion in the block cipher and a column operation where each column is expressed as a four term polynomial over GF(28) field and multiplied by fixed polynomial A(x) = (03H)x3 + (01H)x2 + (01H)x + (02H) with Modulo x 4 + 1. Mathematically, these operations are written in matrix form as follows, where 0 ≤ C < 4 ⎡

⎤

S 1 (x) = A(x) ⊗ S(x).

1 ⎡ S0,C 02H ⎢ 1 ⎥ ⎢ S1,C ⎥ ⎢ 01H ⎥ ⎢ ⎢ ⎢ S 1 ⎥ = ⎣ 01H ⎣ 2,C ⎦ 03H 1 S3,C

03H 02H 01H 01H

01H 03H 02H 01H

t t , Sit , Si+1 ) Sit+1 = f p (Si−1

The function fp is referred as deterministic rule which is represented by decimal form in Table 2. The total number of deterministic rules considered are given by 2L = 256 where L = 2ni. The next state of central cell Sit+1 at a time step t + 1 depends on the central cell Sit t t and neighbouring cells Si−1 , Si+1 with a defined rule fp. If the rule in CA are derived using EXOR logic and/or EXNOR logic, then it is called as additive CA. The additive CA is used in bit-error correcting code, very large scale integration (VLSI) testing and data encryption. If all the cells in CA evolve using the same deterministic rule, then the CA is said to be uniform CA.

(2)

⎤⎡ ⎤ S0,C 01H ⎢ ⎥ 01H ⎥ ⎥⎢ S1,C ⎥ ⎦ ⎣ ⎦ S 03H 2,C S3,C 02H

(4)

(3)

2.4. AddRoundKey: In ARK transformation, the round cipher keys are generated in the key expansion by bitwise XOR operation. After Table 1 LUT based S-Box y x 0 1 2 3 4 5 6 7 8 9 a b c d e f

0 63 ca b7 04 09 53 d0 51 cd 60 e0 e7 ba 70 e1 8c

1 7c 82 fd c7 83 d1 ef a3 0c 81 32 c8 78 3e f8 a1

2 77 c9 93 23 2c 00 aa 40 13 4f 3a 37 25 b5 98 89

3 7b 7d 26 c3 1a ed fd 8f ec dc 0a 6d 2e 66 11 0d

4 f2 fa 36 18 1b 20 43 92 5f 22 49 8d 1c 48 69 bf

5 6b 59 3f 96 6e fc 4d 9d 97 2a 06 d5 a6 03 d9 e6

178 & The Institution of Engineering and Technology 2016

6 6f 47 f7 05 5a b1 33 38 44 90 24 4e b4 f6 8e 42

7 c5 f0 cc 9a a0 5b 85 f5 17 88 5c a9 c6 0e 94 68

8 30 ad 34 07 52 6a 45 bc c4 46 c2 6c e8 61 9b 41

9 01 d4 a5 12 3b cb f9 b6 a7 ee d3 56 dd 35 1e 99

a 67 a2 e5 80 d6 be 02 da 7e b8 ac f4 74 57 87 2d

b 2b af f1 e2 b3 39 7f 21 3d 14 62 ea 1f b9 e9 0f

c fe 9c 71 eb 29 4a 50 10 64 de 91 65 4b 86 ce b0

d d7 a4 d8 27 e3 4c 3c ff 5d 5e 95 7a bd c1 55 54

e ab 72 31 b2 2f 58 9f f3 19 0b e4 ae 8b 1d 28 bb

f 76 c0 15 75 84 cf a8 d2 73 db 79 08 8a 9e df 16

Healthcare Technology Letters, 2016, Vol. 3, Iss. 3, pp. 177–183 doi: 10.1049/htl.2016.0033

Fig. 2 Lattice structure of CA

The dynamic nature of 1D periodic uniform CA depends on deterministic rule fp and the number of iterations. 4. Formulation of S-Box using second-order reversible 1D CA (RCA2 ): The basic function of S-Box is transforming one byte of input data to another one byte secret data using predefined LUT. The truth table of S-Box is basically a function f : B n → B m. The LUT based S-Box architecture requires more memory cells and these S-Boxes are more prone to differential cryptanalysis due to absence of dynamic in nature [12]. In order to meet the requirements of WBAN, in this Letter, we proposed a reversible CA based S-Box realisation which is dynamic in nature and cryptographically secure compared with that of classical S-Box. A CA is said to be first-order 1D CA, if the next configuration Sit+1 is the function of defined rule and present neighbourhood t t , Sit , Si+1 cells. The reversibility of 1D CA configuration Si−1 system of a given length in each output state is based on rules and the output can be realised using Boolean function [15]. If the function is invertible then the rule is reversible which is a desired property in cryptography. If the Boolean function is not one on one, then a value in the range set can map to many values in domain set, which in the process of decryption the plain text is not retrieved from the cipher text. We observed that in the first-order 1D CA only six rules are reversible. Moreover to overcome the limitations, we proposed RCA2 in which there are 64 reversible rules and the mapping of Boolean function is one on one. The basic function of RCA2 based S-Box is to transform 8 bits input data to another secret data using a combinational logic. The block diagram of proposed RCA2 based S-Box shown in Fig. 3 indicates vectors composed of length of the secret key, deterministic rule for encryption or decryption, number of time steps and size of the lattice. The 8 bits input data for RCA2 based S-Box is iteratively computed from 1 to 50 time steps using a defined deterministic rule and 8 bits input secret key. The structure of RCA2 is slightly different as that of first-order 1D CA, the results obtained with first-order 1D CA are XORed with the previous value of the central cell i at time step t − 1 in order to achieve the new configuration of RCA2 at a time step t + 1. The next configuration of central Cit+1 for RCA2 at t + 1 depends not only on present cell Cit but also on the previous cell Cit−1 , as shown in Fig. 4. Mathematically, the RCA2 is represented by Cit+1 = (Cit ⊕ Cit−1 )

(5)

where (Cit , Cit−1 ) = (Sit+1 , Sit−1 ), respectively, at discrete time step t + 1 and t–1. The switches of multiplexer are activated and deactivated according to the control signals (input secret key) and the output of multiplexer is mapped according to the stored 8 bits

rule in the register with the control signals as shown in Fig. 4. Initially, the 8 bits register is loaded with a deterministic rule, the register R1, R2 are used to store the secret key and the secret key of register R2 used as control signal to the multiplexer. The output of the multiplexer is XORed with the previous value stored in the register R1 iteratively. The RCA2 structure is based on combinational logic and control signals as shown in Fig. 4. The output of the combinational logic depends on the control signals. The control signal used in RCA2 can dynamically implement various functions according to the different rules. This makes the RCA2 dynamic in nature as the rule can be changed at any instant of time subsequently the output of multiplexer also changes accordingly (Fig. 5). In RCA2 algorithm, D is the initial data loaded on the array of registers, fp is the input rule vector ranging from [1:256] and NOI means the number of iterations [1:50] and S0–S7 is defined as size of the lattice. Hence, in RCA2 algorithm there exists 28 possible random initial states which are taken into consideration. However, the 8-bit random initial states of RCA2 evolve using different 256 deterministic rules and number of iterations which are considered from time step 1 to 50. There exist a relationship between time step t and group of CA cells S0–S7 in a lattice as the variation of output is high if the time step t ≥ size of the lattice. 5. Results and discussions: The functioning of S-Box is to map 8 input bits to 8 output bits using predefined table known as LUT μ : GF(B n)  GF(B m) [16]. Mathematically, the LUT based S-Box and RCA2 based S-Box are derived using Boolean function in order to study the level of security using cryptographic properties. In cryptography, the Boolean function used to encrypt the plain data must be diverse and mapping from input to output should be one on one, so as to provide enough security and proper decryption. Finally, the 28 output bits are transformed into a single output bit using Boolean function fi: B n → B. In a S-Box, if μ: B n → B m and hence there exists m number of function μ = { f1, f2, …, fm}, where i ∈ [1, m]. The truth table in polarity form is written as follows: fk (x) = (−1) f (x) fb (x) = (a1 f1 (x) ⊕ a2 f2 (x) ⊕ a3 f3 (x) . . . ⊕ am fm (x))

(6)

fβ is a Boolean function of the linear combination of m functions fi (x), i ≤ m, where αi ∈ B m are coefficient of the linear function. The RCA2 based S-Boxes are flexible, dynamic in nature and more resistant to differential cryptanalysis as these provide enough level of security compared with that of LUT based S-Box. We considered size of the RCA2 lattice to be 8 bits, the secret key of 8 bits and examined with different 256 number of rules for 28 different combinations of 8 bit lattice iteratively from 1 to 50 time steps. The level of security of S-Box is observed using the cryptographic properties, namely, the CIB, strict avalanche criteria (SAC), nonlinearity and entropy. If an S-Box satisfies these cryptographic properties then the S-Box is cryptographically secure against cryptanalysis. The observed boundary values of nonlinearity, CIB, strict avalanche criterion and entropy for a standard LUT based S-Box of AES algorithm are presented in Table 3. It is clear from Table 3 that the proposed RCA2 based S-Box attained 10% better nonlinearity compared with that of Clark et al. [18], Millan [19] and Nedjah and Mourelle [20].

Table 2 Truth table for rules 90 and 75

rule 90 rule 75

27 111

26 110

25 101

24 100

23 011

22 010

21 001

20 000

0 0

1 1

0 0

1 0

1 1

0 0

1 1

1 1

Healthcare Technology Letters, 2016, Vol. 3, Iss. 3, pp. 177–183 doi: 10.1049/htl.2016.0033

decimal 90 decimal 75

179

& The Institution of Engineering and Technology 2016

Fig. 3 Block diagram of RCA2 based S-Box

The value of CIB is 15% better than that of Clark et al. [18]. The attained value of nonlinearity and SAC for proposed RCA2 based S-Box are comparatively better than Hussain et al. [17]. 5.1. Strict avalanche criteria: If one input bit is changed in a Boolean function, then half of the output bits should be changed [21]. For a Boolean function, if f is to satisfy SAC the following condition, f (x) ⊕ f (x ⊕ a) should be balanced, where the Hamming weight of α is 1 and SAC is represented by YS dSACf = max1≤i≤n |2n−1 −



f (x) ⊕ f (x ⊕ cni )|

(7)

x[Bn

B n consists of all the possible inputs in the n variable function which is basically 2n different inputs cni consisting of all the elements in B n whose Hamming weight is 1 YS = max (SACm )

(8)

If the value of SAC is less, then the observed cipher is secure enough against cryptographic attacks. We infer that the achieved value of SAC is best for rule numbers 30, 45, 89, 90, 141 as shown in Fig. 6. Moreover, we found that 31.0323% RCA2 rules out of 256 had better SAC value than that of LUT based S-Box as shown in Table 3. 5.2. Entropy: This property provides us the amount of information in the input bits, when output bit are already known [22]. There exists 2n possible inputs and 2m outputs for a Boolean function of n input and m output. The (i, j)th input/output bit to bit entropy

Fig. 5 RCA2 with 256 rules

of S-Box is computed with H(xi /fj (x)) and represented by HS H(Pi ) = Pi log2

1 1 + (1 − Pi ) log2 Pi 1 − Pi

(9)

where Pi is the fraction of ones in the output side  xi [i [ {1, n}, j [ {1, m}] mj HS = min (Hm )

H = min H

(10) (11)

where H(xi /mj ) is the entropy corresponding to the probability P(xi /mj ). For an observed cipher, if the entropy value is high then the data is highly secure. The best value observed for entropy is 0.9972 as shown in Fig. 7 and also best values of entropy are achieved at rule numbers 30, 57, 86, 99, 135, 149 which are presented in Table 3. We also found that for RCA2 based S-Box 26.0323% out of 256 RCA2 rules have better entropy value than that of standard LUT based S-Box. 5.3. Nonlinearity: The nonlinearity of a Boolean function is the minimum distance from the function to the set of affine functions and nonlinearity is represented by